Santa Clara, Calif., December 17, 2014 – Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, today revealed details of a backdoor contained in millions of Android-based mobile devices sold by Coolpad, one of the world’s largest smartphone manufacturers based in China. The backdoor, named “CoolReaper,” exposes users to potential malicious activity and appears to have been installed and maintained by Coolpad despite objections from customers.

It is common for device manufacturers to install software on top of Google’s Android mobile operating system to provide additional functionality and customization to Android devices, and some mobile carriers install applications that gather data on device performance. Following detailed analysis by Unit 42, the Palo Alto Networks threat intelligence team, CoolReaper appears to operate well beyond the collection of basic usage data, acting as a true backdoor into Coolpad devices. Coolpad also appears to have modified a version of the Android OS to make it much more difficult for antivirus programs to detect the backdoor.

CoolReaper, which was discovered by Palo Alto Networks researcher Claud Xiao, has been identified on 24 phone models sold by Coolpad, meaning a potential impact on over 10 million users based on publicly obtainable Coolpad sales information.

Background and Effects of CoolReaper

The full findings related to CoolReaper were published today in “CoolReaper: The Coolpad Backdoor,” a new report from Unit 42 written by Claud Xiao and Ryan Olson. In the report, Palo Alto Networks has also published a list of files whose presence on a Coolpad device may indicate the CoolReaper backdoor; that list is part of the report and is not reproduced here.

As observed by researchers, CoolReaper can perform each of the following tasks, any of which might put sensitive user or corporate data at risk. In addition, malicious attackers could exploit a vulnerability found in CoolReaper’s back-end control system.

CoolReaper can:

Download, install, or activate any Android application without user consent or notification.
Clear user data, uninstall existing applications, or disable system applications.
Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications.
Send or insert arbitrary SMS or MMS messages into the phone.
Dial arbitrary phone numbers.
Upload information about the device, its location, application usage, calling and SMS history to a Coolpad server.

Coolpad Acknowledgment

Unit 42 began observing what came to be known as CoolReaper following numerous complaints from Coolpad customers in China posted to Internet message boards. In November, a researcher working with Wooyun.org identified a vulnerability in the back-end control system for CoolReaper, which made clear how Coolpad itself controls the backdoor in the software. In addition, a Chinese news site, Aqniu.com, reported some details of the backdoor’s existence and its abuses in an article published November 20, 2014.

As of December 17, 2014, Coolpad had not responded to multiple requests for assistance from Palo Alto Networks. Google’s Android Security Team has also been provided with the data contained in the report.

Protecting Users

All known samples of CoolReaper have been marked as malicious in WildFire™, a key component of the Palo Alto Networks Threat Intelligence Cloud that identifies threats by executing applications in a virtual environment; those verdicts are shared automatically with Palo Alto Networks GlobalProtect to identify affected devices.

In addition, all known Command & Control URLs used by CoolReaper are identified as malicious in Palo Alto Networks Threat Prevention products, allowing customers to block data exfiltration to the known Command & Control servers.

Palo Alto Networks has also made signatures available that detect and block CoolReaper Command & Control traffic by its content rather than its destination, so they remain effective even if the Command & Control server moves to a new location or URL.

The CoolReaper findings further reinforce the need for comprehensive mobile security using a combination of traffic inspection along with threat intelligence for both the detection and prevention of dangerous applications. GlobalProtect from Palo Alto Networks provides organizations with protection against advanced cyber threats, including the ability to continuously analyze mobile content for covert or malicious activity.

About the SFTA

The South Florida Technology Alliance (SFTA) promotes the growth, success and awareness of the regional technology community. Through events, networking, programs and education, we provide south Florida’s technology-related companies, academic institutions, entrepreneurs, governments and related organizations with an active forum to grow the business of technology in our region.
